NIST guides civilian infosec buys

NIST Special Publication 800-23 (PDF)

The National Institute of Standards and Technology late last week released

its final guidelines on civilian agency procurement of information security


Under the new guidelines, NIST Special Publication 800-23, NIST recommends

that agencies acquire security products that have undergone independent

testing and evaluation.

"Federal agencies should give substantial consideration in IT procurement

and deployment for IT products that have been evaluated and tested by independent

accredited laboratories against appropriate security specifications and

requirements," the guide states.

The main type of testing recommended by the publication is the international

Common Criteria Evaluation and Validation Program, overseen in the United

States by the National Information Assurance Partnership under NIST and

the National Security Agency.

Using the Common Criteria Cvaluation, agencies can be assured that the security

products will perform the way a vendor promises. The products are tested

by private-sector laboratories accredited by the NIAP.

NIST cautions, however, that agencies still need to make sure a security

product fits into their overall architecture and needs because a Common

Criteria-tested product may not be the best security product for an agency

to buy.

"It is important to note that purchasing an evaluated product just because

it is evaluated, and without due consideration of applicable functional

and assurance requirements, may be neither useful nor cost-effective," the

guide states.


  • Defense
    DOD photo by Senior Airman Perry Aston  11th Wing Public Affairs

    How DOD's executive exodus could affect tech modernization

    Back-to-back resignations raise concerns about how things will be run without permanent leadership in key areas from policy to tech development.

  • Budget
    cybersecurity (vs148/

    House's DHS funding bill would create public-private cyber center

    The legislation would give $2.25 billion to DHS' cyber wing and set up an integrated cybersecurity center with other agencies, state and local governments and private industry.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.